HackDig : Dig high-quality web security articles for hacker

Author’s Note: We at Malwarebytes continue to do our part in educating our product users and constant blog readers about day-to-day online threats and how they can avoid falling prey to them. “PUP Friday”, our latest attempt at getting users acquainted with files they may need to watch out for in the Wild Web, offers an in-depth look at some interesting and quite notable potentially unwanted programs (PUPs). Expect to see this type of content pushed out twice a month at the end of a work week.

We have discussed DNS hijackers in general in the past. This week, we'd like to have a look at an example called TopFlix. It belongs to a family of adware that we call DNSUnlocker.

How do people get infected?

This one is pushed by a bundle wrapper called SoftPulse. SoftPulse uses advertisements to lure users into downloading and installing “useful” applications like Java or Flash Player from its servers, and to spice things up a bit it adds some extra ingredients of its own.

A current example of how the SoftPulse bundle installer looks

Depending on your geolocation and maybe some other parameters, you’d see some additional offers to digest along with the main course.

TopFlix was presented as a media player during recent install procedures.

Installation

Once the bundle wrapper triggers the installation of TopFlix, you should be able to read their EULA, but in these cases it is not always shown. Since you have already allowed the wrapper to run, they don’t need to ask for your permission to install the extras: you have implicitly granted it, probably without realizing it. This one also includes a link to their Privacy Policy.

Scrolling down a bit in the EULA, you may notice this warning about granting the “Services” permission to change your DNS settings:

In my book, that’s a deal breaker. Do not ever allow anyone to control your DNS settings. The ramifications of changing them can range from extra content to being unable to reach any Web address at all.
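Since the whole point of this family is to swap out your resolvers, a quick way to check whether that has already happened on a Windows machine is to compare the DNS servers configured on each interface against a list you control. The following PowerShell audit is an added example and not code from the Malwarebytes post; the allowlist addresses are constructed placeholders that you would replace with your own resolvers.

```powershell
# Added example: audit the IPv4 DNS servers configured on every network interface
# and report any that are not on an allowlist of resolvers you trust.
# The addresses below are constructed placeholders (TEST-NET-1 range), not real resolvers.
$AllowedDns = @('192.0.2.53', '192.0.2.54')

function Get-UnexpectedDnsServers {
    param([string[]]$Allowed = $AllowedDns)

    # Get-DnsClientServerAddress lists the resolvers per interface (Windows 8 / Server 2012 and later).
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses.Count -gt 0 } |
        ForEach-Object {
            $iface = $_
            foreach ($server in $iface.ServerAddresses) {
                # Anything not on the allowlist is worth a look: a DNS hijacker
                # typically points the interface at resolvers it controls.
                if ($Allowed -notcontains $server) {
                    [pscustomobject]@{
                        InterfaceAlias = $iface.InterfaceAlias
                        InterfaceIndex = $iface.InterfaceIndex
                        DnsServer      = $server
                    }
                }
            }
        }
}

$unexpected = Get-UnexpectedDnsServers
if ($unexpected) {
    Write-Warning 'DNS servers outside the allowlist were found:'
    $unexpected | Format-Table -AutoSize
    # To return an affected interface to DHCP-assigned resolvers, you could run
    # (after confirming the change is unwanted):
    #   Set-DnsClientServerAddress -InterfaceIndex <index> -ResetServerAddresses
} else {
    Write-Output 'All configured DNS servers are on the allowlist.'
}
```

Run it from an elevated PowerShell session; on machines that use DHCP-assigned resolvers, put your DHCP-provided DNS addresses on the allowlist so they are not reported.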

The installer offers us another warning still further down, and lets us know that the Service “may”—trust me, it will—contain unsupervised third-party content:

Third-party content

From what we’ve seen, the above-mentioned third-party content comes as text popups, which are little advertisements that show up when you hover over certain keywords—